
Microservices Engine:Configuration encryption

Last Updated: Dec 29, 2023

Configuration data in Microservices Registry of Microservices Engine (MSE) is stored in plaintext. MSE is integrated with Key Management Service (KMS) to allow you to encrypt and decrypt configuration data, such as data sources, tokens, usernames, and passwords. This helps reduce the risk of sensitive data leaks.

Prerequisites

Create encrypted configurations

To create encrypted configurations in the MSE console, perform the following steps:

Note

You must use the AccessKey pair of your Alibaba Cloud account or a RAM user to use the configuration encryption and decryption features of MSE.

  1. Log on to the MSE console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. On the Instances page, click the name of the instance.

  4. In the left-side navigation pane, choose Configuration Management > Configurations.

  5. On the page that appears, select a namespace in the upper-left corner, and click Add Configuration.

  6. In the Add Configuration panel, turn on the Data Encryption switch.

    1. In the Data Encryption section, check whether KMS is activated. If KMS is not activated, activate it first.

    2. If you activate KMS in the Data Encryption section after March 31, 2022, you must select the ID of a key that is used for encryption and associate the key with the MSE Nacos instance. This way, all subsequent configurations are encrypted by using the key. You can create and use a key in KMS.

      Important

      Do not delete or disable the key that is associated with the MSE Nacos instance. Otherwise, encrypted configurations cannot be decrypted.

    3. Refresh the Add Configuration panel and select an encryption method for KMS.

      Parameter: KMS AES-256

      Description: If you select this option, the envelope encryption and decryption method of KMS is used. The size of the configuration data that you want to encrypt cannot exceed 50 KB. The configuration data in plaintext is not transmitted to KMS. We recommend that you select this option, which is more secure. Select an encryption method based on your business requirements.

  7. Select a configuration format in the Configuration Format section, enter the configuration content in the Description section, and then click Release.
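The KMS AES-256 option described above is envelope encryption: KMS only wraps and unwraps a one-time data key, while the configuration itself is encrypted on the client, so the plaintext never reaches KMS. The Go program below is an added illustration of that scheme, not code from MSE or the Nacos plug-in; it uses a mock KMS and AES-256-GCM (the plug-in's real cipher mode and wire format are not described on this page and are assumptions here) and enforces the 50 KB limit before anything is sent.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const MaxPlaintext = 50 * 1024 // the 50 KB limit the console states for KMS AES-256
// MockKMS stands in for KMS (constructed for this example, not the real API): the
// master key never leaves it, and every payload it receives is recorded.
type MockKMS struct {
	master   []byte
	received [][]byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// GenerateDataKey returns a fresh 256-bit data key in plaintext and wrapped form.
func (m *MockKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(m.master, plain)
	return plain, wrapped, err
}

// Decrypt unwraps a data key; it is the only KMS call made when reading a config.
func (m *MockKMS) Decrypt(wrapped []byte) ([]byte, error) {
	m.received = append(m.received, wrapped)
	return open(m.master, wrapped)
}

// Saw reports whether any payload sent to the mock KMS contained data.
func (m *MockKMS) Saw(data []byte) bool {
	return bytes.Contains(bytes.Join(m.received, nil), data)
}

// EncryptedConfig is the stored form: wrapped data key plus locally produced ciphertext.
type EncryptedConfig struct {
	EncryptedDataKey []byte
	Content          []byte
}

// EncryptConfig enforces the size limit, then encrypts locally under a one-time data key.
func EncryptConfig(kms *MockKMS, content []byte) (*EncryptedConfig, error) {
	if len(content) > MaxPlaintext {
		return nil, fmt.Errorf("config is %d bytes, limit is %d", len(content), MaxPlaintext)
	}
	plainKey, wrappedKey, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(plainKey, content)
	if err != nil {
		return nil, err
	}
	return &EncryptedConfig{EncryptedDataKey: wrappedKey, Content: ct}, nil
}

// DecryptConfig sends only the wrapped key to KMS and decrypts the content locally.
func DecryptConfig(kms *MockKMS, ec *EncryptedConfig) ([]byte, error) {
	plainKey, err := kms.Decrypt(ec.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	return open(plainKey, ec.Content)
}
```

Because the wrapped key and the ciphertext are both authenticated, tampering with either stored field fails decryption instead of yielding garbage.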

Use an encrypted configuration based on KMS V1.0

Nacos SDK for Java

  1. Log on to the MSE console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. On the Instances page, click the name of the instance.

  4. In the left-side navigation pane, choose Configuration Management > Configurations.

  5. Select a Namespace, find the desired configuration, and then click the data ID of the configuration in the Data ID column. On the configuration details page, click the Sample Code tab.

  6. Use an encrypted configuration.

    Use an encrypted configuration by assuming a RAM role

    1. Add the following dependencies to the code:

      <dependency>
          <groupId>com.alibaba.nacos</groupId>
          <artifactId>nacos-client</artifactId>
          <version>1.4.3</version>
      </dependency>
      <dependency>
          <groupId>com.alibaba.nacos</groupId>
          <artifactId>nacos-client-mse-extension</artifactId>
          <version>1.0.4</version>
      </dependency>

      Version description

      Important

      Stability issues may occur if the encryption and decryption plug-in version does not match the Nacos client version. We recommend that you use recommended versions.

      Nacos client major version    Nacos client version    Recommended plug-in version
      V1.x                          V1.4.3 or later         1.0.2 or later
      V2.x                          V2.1.1 or later         1.0.4 or later

    2. Select the sample code that matches the framework you use.

      • If you use the Nacos client framework to obtain configurations, you must configure the following sample code.

        Configure the serverAddr, ramRoleName, regionId, dataid, and group parameters in the code based on your business requirements.

        try {
            Properties properties = new Properties();
            properties.put("serverAddr", "mse-xxxxxx-p.nacos-ans.mse.aliyuncs.com");
            properties.put("ramRoleName", "<RAM role assigned to an Elastic Compute Service (ECS) instance or a Container Service for Kubernetes (ACK) cluster>");
            properties.put("keyId", "alias/acs/mse"); // This is the fixed value for KMS V1.0.
            properties.put("kms_region_id", "cn-hangzhou");
            properties.put("kmsVersion", "v1.0");
            ConfigService configService = NacosFactory.createConfigService(properties);
            System.out.println("content:::" + configService.getConfig("cipher-kms-aes-256-dataid", "group", 6000));
        } catch (Exception e) {
            e.printStackTrace();
        }
      • If you use the Spring Cloud Nacos Config framework to obtain configurations, you must add the following configurations:

        kms_region_id=cn-hangzhou
        spring.cloud.nacos.config.server-addr=mse-xxxxxxx-p.nacos-ans.mse.aliyuncs.com:8848
        spring.cloud.nacos.config.name=cipher-kms-aes-256-dataid
        spring.cloud.nacos.config.group=group
        spring.cloud.nacos.config.ramRoleName=<RAM role assigned to an ECS instance or an ACK cluster>
        spring.cloud.nacos.config.kms_region_id=cn-hangzhou
        spring.cloud.nacos.config.keyId=alias/acs/mse
        spring.cloud.nacos.config.kmsVersion=v1.0
      Note

      Before you encrypt configuration data by assuming a RAM role, you must attach the AliyunACMFullAccess and AliyunKMSFullAccess policies to the RAM role. For more information, see RAM roles.

    Use an encrypted configuration as a RAM user

    1. Add the following dependencies to the code:

      <dependency>
          <groupId>com.alibaba.nacos</groupId>
          <artifactId>nacos-client</artifactId>
          <version>1.4.3</version>
      </dependency>
      <dependency>
          <groupId>com.alibaba.nacos</groupId>
          <artifactId>nacos-client-mse-extension</artifactId>
          <version>1.0.4</version>
      </dependency>

      Version description

      Important

      Stability issues may occur if the encryption and decryption plug-in version does not match the Nacos client version. We recommend that you use recommended versions.

      Nacos client major version    Nacos client version    Recommended plug-in version
      V1.x                          V1.4.3 or later         1.0.2 or later
      V2.x                          V2.1.1 or later         1.0.3

    2. Select the sample code that matches the framework you use.

      • If you use the Nacos client framework to obtain configurations, you must configure the following sample code.

        Configure the serverAddr, accessKey, secretKey, regionId, dataid, and group parameters in the code based on your business requirements.

        Note

        The environment variables for the AccessKey ID and AccessKey secret that are used to log on to MSE are MSE_AK and MSE_SK.

        try {
            Properties properties = new Properties();
            properties.put("serverAddr", "mse-xxxxxx-p.nacos-ans.mse.aliyuncs.com");
            // Placeholders: supply the values of the MSE_AK and MSE_SK environment variables instead of hardcoding credentials.
            properties.put("accessKey", "MSE_AK");
            properties.put("secretKey", "MSE_SK");
            properties.put("keyId", "alias/acs/mse"); // This is the fixed value for KMS V1.0.
            properties.put("kms_region_id", "cn-hangzhou");
            properties.put("kmsVersion", "v1.0");
            ConfigService configService = NacosFactory.createConfigService(properties);
            System.out.println("content:::" + configService.getConfig("cipher-kms-aes-256-dataid", "group", 6000));
        } catch (Exception e) {
            e.printStackTrace();
        }
      • If you use the Spring Cloud Nacos Config framework to obtain configurations, you must add the following configurations. You must also use the JVM system parameter -D or environment variables to specify the region where the MSE instance resides. For example, if the MSE instance resides in the China (Hangzhou) region, set -Dkms_region_id to cn-hangzhou.

        spring.cloud.nacos.config.server-addr=mse-xxxxxxx-p.nacos-ans.mse.aliyuncs.com:8848
        spring.cloud.nacos.config.name=cipher-kms-aes-256-dataid
        spring.cloud.nacos.config.group=group
        spring.cloud.nacos.config.access-key=MSE_AK
        spring.cloud.nacos.config.secret-key=MSE_SK
        spring.cloud.nacos.config.kms_region_id=cn-hangzhou
        spring.cloud.nacos.config.keyId=alias/acs/mse
        spring.cloud.nacos.config.kmsVersion=v1.0
      Note

      You can use the AccessKey ID and AccessKey secret of your Alibaba Cloud account to obtain configuration data. However, we recommend that you use the AccessKey ID and AccessKey secret of a RAM user to obtain configuration data. Before you encrypt configuration data as a RAM user, you must attach the AliyunACMFullAccess and AliyunKMSFullAccess policies to the RAM user. For more information, see RAM users.

Nacos SDK for Go

Use an encrypted configuration as a RAM user

To obtain the sample code that uses encrypted configurations and initialize parameters in the code as a RAM user, perform the following steps:

  1. Log on to the MSE console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. On the Instances page, click the name of the instance.

  4. In the left-side navigation pane, choose Configuration Management > Configurations.

  5. Select a Namespace, find the desired configuration, and then click the data ID of the configuration in the Data ID column. On the configuration details page, click the Sample Code tab. In the left-side navigation pane of the Sample Code tab, click Go. Use the displayed sample code in your project.

  6. Run the go get command to download the Nacos client SDK for Go dependency.

    go get -u github.com/nacos-group/nacos-sdk-go/v2@v2.2.5

    Version description

    Stability issues may occur if the encryption and decryption plug-in version does not match the Nacos client version. We recommend that you use recommended versions.

    Version supported by the plug-in    Nacos client version
    KMS V1.0                            V2.0.0 or later (The latest version is recommended.)

  7. Modify the initial configuration of the Nacos client.

    Configure the {server-addr}, {AK}, and {SK} parameters in the code based on your business requirements, and specify the OpenKMS: true and KMSVersion: constant.KMSv1 configurations to enable KMS-based encryption.

    sc := []constant.ServerConfig{
      {
        IpAddr: "{server-addr}", // Configure the IP address of your MSE Nacos instance.
        Port:   8848,
      },
    }
    var accessKey = "{AK}" // Configure the AccessKey ID of your account for MSE Nacos instance and KMS authentication.
    var secretKey = "{SK}" // Configure the AccessKey secret of your account for MSE Nacos instance and KMS authentication.

    cc := constant.ClientConfig{
      NamespaceId:         "public",       // Configure the ID of the namespace.
      OpenKMS:             true,           // Enable configuration encryption by using KMS.
      KMSVersion:          constant.KMSv1, // Use KMS V1.0 (the constant is defined in the SDK's constant package).
      AccessKey:           accessKey,
      SecretKey:           secretKey,
      TimeoutMs:           5000,
      NotLoadCacheAtStart: true,
      LogDir:              "/tmp/nacos/log",
      CacheDir:            "/tmp/nacos/cache",
      RotateTime:          "1h",
      MaxAge:              3,
      LogLevel:            "debug",
      RegionId:            "cn-hangzhou",
    }
    
  8. Publish the encrypted configuration.

    keyId: the ID of the KMS key that is used to encrypt configurations. This parameter can be ignored if KMS V1.0 is used.

    configParam := vo.ConfigParam{
          DataId:   "cipher-kms-aes-256-crypt",
          Group:    "default",
          Content:  "cipher-aes-256",
    }
    
    published, err := client.PublishConfig(configParam)
    
    if published && err == nil {
      fmt.Printf("successfully publish: group[%s], dataId[%s], data[%s]\n", configParam.Group, configParam.DataId, configParam.Content)
    } else {
      fmt.Printf("failed to publish: group[%s], dataId[%s], data[%s]\n with error: %s\n",
        configParam.Group, configParam.DataId, configParam.Content, err)
    }

Use an encrypted configuration based on KMS V3.0

Prerequisites

  • A KMS instance is purchased and enabled. For more information, see Purchase and enable a KMS instance.

  • A key and a secret are created. For more information, see Software-protected key in the "Getting started with Key Management" topic and Getting started with Secrets Manager.

  • An application access point (AAP) is created, the client key that is bound to the AAP is saved, and a certificate authority (CA) certificate is obtained for the KMS instance. For more information, see Create an AAP.

  • You must make sure that the application runtime environment can connect to the MSE instance over the Internet or an internal network and to a KMS instance that is in the same virtual private cloud (VPC). If your application runtime environment needs to connect to a KMS instance from another VPC, see Access a KMS instance from multiple VPCs in the same region.

Nacos SDK for Java

  1. Log on to the MSE console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. On the Instances page, click the name of the instance.

  4. In the left-side navigation pane, choose Configuration Management > Configurations.

  5. Select a Namespace, find the desired configuration, and then click the data ID of the configuration in the Data ID column. On the configuration details page, click the Sample Code tab.

  6. Use an encrypted configuration.

    Use an encrypted configuration by assuming a RAM role

    1. Add the following dependencies to the code:

      <dependency>
          <groupId>com.alibaba.nacos</groupId>
          <artifactId>nacos-client</artifactId>
          <version>1.4.3</version>
      </dependency>
      <dependency>
          <groupId>com.alibaba.nacos</groupId>
          <artifactId>nacos-client-mse-extension</artifactId>
          <version>1.0.4</version>
      </dependency>
      Note

      Only plug-in versions 1.0.3 and later support creating encrypted configurations with KMS V3.0.

      Version description

      Stability issues may occur if the encryption and decryption plug-in version does not match the Nacos client version. We recommend that you use recommended versions.

      Nacos client major version    Nacos client version    Recommended plug-in version
      V1.x                          V1.4.3 or later         1.0.4 or later
      V2.x                          V2.1.1 or later         1.0.4 or later

    2. Select the sample code that matches the framework you use.

      • If you use the Nacos client framework to obtain configurations, you must configure the following sample code.

        Configure the serverAddr, ramRoleName, regionId, kms_region_id, kmsEndpoint, keyId, kmsVersion, kmsClientKeyFilePath, kmsPasswordKey, and kmsCaFilePath parameters in the code based on your business requirements.

        try {
            Properties properties = new Properties();
            properties.put("serverAddr", "mse-xxxxxx-p.nacos-ans.mse.aliyuncs.com");
            properties.put("ramRoleName", "<RAM role assigned to an ECS instance or an ACK cluster>");
            properties.put("regionId", "cn-hangzhou");

            properties.put("kms_region_id", "cn-hangzhou");
            properties.put("kmsEndpoint", "kst-hzz6xxxr.cryptoservice.kms.aliyuncs.com");
            properties.put("keyId", "yourKeyIdOrKeyAlias");
            properties.put("kmsVersion", "v3.0");
            properties.put("kmsClientKeyContent", "clientKey_content");
            // Configure one of the kmsClientKeyContent and kmsClientKeyFilePath parameters. The kmsClientKeyContent parameter takes precedence.
            // properties.put("kmsClientKeyFilePath", "clientKey_hangzhou.json");
            properties.put("kmsPasswordKey", "10xxxd1d");
            properties.put("kmsCaFileContent", "ca_content");
            // Configure one of the kmsCaFileContent and kmsCaFilePath parameters. The kmsCaFileContent parameter takes precedence.
            // properties.put("kmsCaFilePath", "ca.pem");
            ConfigService configService = NacosFactory.createConfigService(properties);
            System.out.println("content:::" + configService.getConfig("cipher-kms-aes-256-dataid", "group", 6000));
        } catch (Exception e) {
            e.printStackTrace();
        }

        Parameters

        The following table describes the parameters. Make sure that the values you configure are valid.

        serverAddr: The IP address of your MSE Nacos instance.

        ramRoleName: The RAM role that is assigned to the ECS instance or ACK cluster.

        regionId: Optional. The ID of the region where your MSE Nacos instance resides.

        kms_region_id: Optional. The ID of the region where your KMS instance resides. If this parameter is left empty, the value of regionId is used.

        kmsEndpoint: The endpoint of your KMS instance.

        keyId: The ID of the KMS key that is used to encrypt configurations. You can create and use a KMS key in the KMS console.

        kmsVersion: The KMS version. Set this parameter to v3.0.

        kmsClientKeyFilePath: The path of the file that stores the client key of the KMS instance. You can obtain the path when you create the AAP for the KMS instance.

        kmsClientKeyContent: The client key of the KMS instance. You can obtain the client key when you create the AAP for the KMS instance. Note: Configure one of the kmsClientKeyContent and kmsClientKeyFilePath parameters. The kmsClientKeyContent parameter takes precedence.

        kmsPasswordKey: The password that corresponds to the client key of the KMS instance. You can obtain the password when you create the AAP for the KMS instance.

        kmsCaFilePath: The path of the CA certificate that is used by the KMS instance. You can obtain the path when you create the AAP for the KMS instance.

        kmsCaFileContent: The content of the CA certificate that is used by the KMS instance. You can obtain the content when you create the AAP for the KMS instance. Note: Configure one of the kmsCaFileContent and kmsCaFilePath parameters. The kmsCaFileContent parameter takes precedence.

      • If you use the Spring Cloud Nacos Config framework to obtain configurations, you must add the following configurations:

        spring.cloud.nacos.config.server-addr=mse-xxxxxxx-p.nacos-ans.mse.aliyuncs.com:8848
        spring.cloud.nacos.config.name=cipher-kms-aes-256-dataid
        spring.cloud.nacos.config.group=group
        spring.cloud.nacos.config.ramRoleName=<RAM role assigned to an ECS instance or an ACK cluster>
        spring.cloud.nacos.config.kms_region_id=cn-hangzhou
        spring.cloud.nacos.config.kmsEndpoint=kst-hzz6xxxr.cryptoservice.kms.aliyuncs.com
        spring.cloud.nacos.config.keyId=yourKeyIdOrKeyAlias
        spring.cloud.nacos.config.kmsVersion=v3.0
        spring.cloud.nacos.config.kmsClientKeyFilePath=clientKey_hangzhou.json
        spring.cloud.nacos.config.kmsCaFilePath=ca.pem
        spring.cloud.nacos.config.kmsPasswordKey=10xxxd1d
        Note

        If RAM authentication is not enabled for your MSE Nacos instance, ignore the MSE_AK and MSE_SK configurations.

    Use an encrypted configuration as a RAM user

    1. Add the following dependencies to the code:

      <dependency>
          <groupId>com.alibaba.nacos</groupId>
          <artifactId>nacos-client</artifactId>
          <version>1.4.3</version>
      </dependency>
      <dependency>
          <groupId>com.alibaba.nacos</groupId>
          <artifactId>nacos-client-mse-extension</artifactId>
          <version>1.0.4</version>
      </dependency>
      Note

      Only plug-in versions 1.0.3 and later support creating encrypted configurations with KMS V3.0.

      Version description

      Stability issues may occur if the encryption and decryption plug-in version does not match the Nacos client version. We recommend that you use recommended versions.

      Nacos client major version    Nacos client version    Recommended plug-in version
      V1.x                          V1.4.3 or later         1.0.4 or later
      V2.x                          V2.1.1 or later         1.0.4 or later

    2. Select the sample code that matches the framework you use.

      • If you use the Nacos client framework to obtain configurations, you must configure the following sample code.

        Configure the serverAddr, accessKey, secretKey, regionId, kms_region_id, kmsEndpoint, keyId, kmsVersion, kmsClientKeyFilePath, kmsPasswordKey, and kmsCaFilePath parameters in the code based on your business requirements.

        try {
            Properties properties = new Properties();
            properties.put("serverAddr", "mse-xxxxxx-p.nacos-ans.mse.aliyuncs.com");
            // The AccessKey ID and AccessKey secret are used for authentication for the MSE Nacos instance. If RAM authentication is not enabled for your MSE Nacos instance, ignore the MSE_AK and MSE_SK configurations.
            properties.put("accessKey", "MSE_AK");
            properties.put("secretKey", "MSE_SK");
            properties.put("regionId", "cn-hangzhou");

            properties.put("kms_region_id", "cn-hangzhou");
            properties.put("kmsEndpoint", "kst-hzz6xxxr.cryptoservice.kms.aliyuncs.com");
            properties.put("keyId", "alias/acs/mse");
            properties.put("kmsVersion", "v3.0");
            properties.put("kmsClientKeyContent", "clientKey_content");
            // Configure one of the kmsClientKeyContent and kmsClientKeyFilePath parameters. The kmsClientKeyContent parameter takes precedence.
            // properties.put("kmsClientKeyFilePath", "clientKey_hangzhou.json");
            properties.put("kmsPasswordKey", "10xxxd1d");
            properties.put("kmsCaFileContent", "ca_content");
            // Configure one of the kmsCaFileContent and kmsCaFilePath parameters. The kmsCaFileContent parameter takes precedence.
            // properties.put("kmsCaFilePath", "ca.pem");
            ConfigService configService = NacosFactory.createConfigService(properties);
            System.out.println("content:::" + configService.getConfig("cipher-kms-aes-256-dataid", "group", 6000));
        } catch (Exception e) {
            e.printStackTrace();
        }

        Parameters

        The following table describes the parameters. Make sure that the values you configure are valid.

        serverAddr: The IP address of your MSE Nacos instance.

        accessKey: The AccessKey ID of your account. Note: If RAM authentication is not enabled for your MSE Nacos instance, ignore this parameter.

        secretKey: The AccessKey secret of your account. Note: If RAM authentication is not enabled for your MSE Nacos instance, ignore this parameter.

        regionId: Optional. The ID of the region where your MSE Nacos instance resides.

        kms_region_id: Optional. The ID of the region where your KMS instance resides. If this parameter is left empty, the value of regionId is used.

        kmsEndpoint: The endpoint of your KMS instance.

        keyId: The ID of the KMS key that is used to encrypt configurations. You can create and use a KMS key in the KMS console.

        kmsVersion: The KMS version. Set this parameter to v3.0.

        kmsClientKeyFilePath: The path of the file that stores the client key of the KMS instance. You can obtain the path when you create the AAP for the KMS instance.

        kmsClientKeyContent: The client key of the KMS instance. You can obtain the client key when you create the AAP for the KMS instance. Note: Configure one of the kmsClientKeyContent and kmsClientKeyFilePath parameters. The kmsClientKeyContent parameter takes precedence.

        kmsPasswordKey: The password that corresponds to the client key of the KMS instance. You can obtain the password when you create the AAP for the KMS instance.

        kmsCaFilePath: The path of the CA certificate that is used by the KMS instance. You can obtain the path when you create the AAP for the KMS instance.

        kmsCaFileContent: The content of the CA certificate that is used by the KMS instance. You can obtain the content when you create the AAP for the KMS instance. Note: Configure one of the kmsCaFileContent and kmsCaFilePath parameters. The kmsCaFileContent parameter takes precedence.

      • If you use the Spring Cloud Nacos Config framework to obtain configurations, you must add the following configurations:

        spring.cloud.nacos.config.server-addr=mse-xxxxxxx-p.nacos-ans.mse.aliyuncs.com:8848
        spring.cloud.nacos.config.name=cipher-kms-aes-256-dataid
        spring.cloud.nacos.config.group=group
        spring.cloud.nacos.config.access-key=MSE_AK
        spring.cloud.nacos.config.secret-key=MSE_SK
        spring.cloud.nacos.config.kms_region_id=cn-hangzhou
        spring.cloud.nacos.config.kmsEndpoint=kst-hzz6xxxr.cryptoservice.kms.aliyuncs.com
        spring.cloud.nacos.config.keyId=yourKeyIdOrKeyAlias
        spring.cloud.nacos.config.kmsVersion=v3.0
        spring.cloud.nacos.config.kmsClientKeyFilePath=clientKey_hangzhou.json
        spring.cloud.nacos.config.kmsCaFilePath=ca.pem
        spring.cloud.nacos.config.kmsPasswordKey=10xxxd1d
        Note

        If RAM authentication is not enabled for your MSE Nacos instance, ignore the MSE_AK and MSE_SK configurations.

Nacos SDK for Go

  1. Log on to the MSE console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. On the Instances page, click the name of the instance.

  4. In the left-side navigation pane, choose Configuration Management > Configurations.

  5. Select a Namespace, find the desired configuration, and then click the data ID of the configuration in the Data ID column. On the configuration details page, click the Sample Code tab. In the left-side navigation pane of the Sample Code tab, click Go. Use the displayed sample code in your project.

  6. Run the go get command to download the Nacos client SDK for Go dependency.

    go get -u github.com/nacos-group/nacos-sdk-go/v2@v2.2.5

    Version description

    Stability issues may occur if the encryption and decryption plug-in version does not match the Nacos client version. We recommend that you use recommended versions.

    Version supported by the plug-in    Nacos client version
    KMS V3.0                            V2.2.5 or later

  7. Modify the initial configuration of the Nacos client.

    Configure the {server-addr}, {AK}, {SK}, {client_key_content}, {password}, {endpoint}, and {ca.pem_content} parameters in the code based on your business requirements. Specify the OpenKMS: true and KMSVersion: constant.KMSv3 configurations to enable KMS-based encryption.

    sc := []constant.ServerConfig{
      {
        IpAddr: "{server-addr}", // Configure the IP address of your MSE Nacos instance.
        Port:   8848,
      },
    }
    var accessKey = "{AK}" // If RAM authentication is not enabled for your MSE Nacos instance, ignore this configuration.
    var secretKey = "{SK}" // If RAM authentication is not enabled for your MSE Nacos instance, ignore this configuration.

    cc := constant.ClientConfig{
      NamespaceId: "public",        // Configure the ID of the namespace.
      OpenKMS:     true,            // Enable KMS-based encryption.
      KMSVersion:  constant.KMSv3,  // Use KMS V3.0 (the constant is defined in the SDK's constant package).
      KMSv3Config: &constant.KMSv3Config{
        ClientKeyContent: "{client_key_content}", // Content of the client key file that is bound to the AAP.
        Password:         "{password}",           // Password that corresponds to the client key.
        Endpoint:         "{endpoint}",           // Endpoint of your KMS instance.
        CaContent:        "{ca.pem_content}",     // Content of the CA certificate of the KMS instance.
      },
      AccessKey:           accessKey,
      SecretKey:           secretKey,
      TimeoutMs:           5000,
      NotLoadCacheAtStart: true,
      LogDir:              "/tmp/nacos/log",
      CacheDir:            "/tmp/nacos/cache",
      RotateTime:          "1h",
      MaxAge:              3,
      LogLevel:            "debug",
    }
    

    Parameters

    The following table describes the parameters. Make sure that the values you configure are valid.

    serverAddr: The IP address of your MSE Nacos instance.

    AK: The AccessKey ID of your account. Note: If RAM authentication is not enabled for your MSE Nacos instance, ignore this parameter.

    SK: The AccessKey secret of your account. Note: If RAM authentication is not enabled for your MSE Nacos instance, ignore this parameter.

    KMSv3Config.Endpoint: The endpoint of your KMS instance.

    KMSVersion: The KMS version. Set this parameter to v3.0.

    KMSv3Config.ClientKeyContent: The client key of the KMS instance. You can obtain the client key when you create the AAP for the KMS instance.

    KMSv3Config.Password: The password that corresponds to the client key of the KMS instance. You can obtain the password when you create the AAP for the KMS instance.

    KMSv3Config.CaContent: The content of the CA certificate that is used by the KMS instance. You can obtain the content when you create the AAP for the KMS instance.

  8. Publish the encrypted configuration.

    configParam := vo.ConfigParam{
      DataId:   "cipher-kms-aes-256-crypt",
      Group:    "default",
      Content:  "cipher-aes-256",
      KmsKeyId: "key-xxx", // The ID of the KMS key that is used to encrypt configurations. You can create and use a KMS key in the KMS console.
    }

    published, err := client.PublishConfig(configParam)

    if published && err == nil {
      fmt.Printf("successfully publish: group[%s], dataId[%s], data[%s]\n", configParam.Group, configParam.DataId, configParam.Content)
    } else {
      fmt.Printf("failed to publish: group[%s], dataId[%s], data[%s]\n with error: %s\n",
        configParam.Group, configParam.DataId, configParam.Content, err)
    }

Troubleshooting

Troubleshooting of common errors

Perform the following steps:

  • Check whether the application runtime environment can connect to the VPC in which the MSE instance resides and the VPC in which the KMS instance resides.

    Note

    You do not need to ensure the connectivity between the MSE instance and KMS instance.

  • Check whether KMS V1.0 or V3.0 is used. If KMS V1.0 is used, you must make sure that KMS was activated before March 31, 2022.

    Note

    If you activate KMS after March 31, 2022, you must purchase Dedicated KMS. The encryption feature of KMS V1.0 is no longer available for new users.

  • Check whether the Nacos client version matches the version of the encryption and decryption plug-in. For more information, see version descriptions in this topic.

Troubleshooting of Nacos SDK for Java issues

Keywords of exception stacks in Nacos logs and their causes:

  • Keyword: keyId is not set up yet
    Cause: The initialization parameter keyId is left empty or not specified.

  • Keyword: Forbidden.KeyNotFound : The specified Key is not found.
    Cause: The key ID specified by the initialization parameter keyId does not exist in the KMS instance.

  • Keyword: kmsEndpoint is empty
    Cause: The initialization parameter kmsEndpoint is left empty.

  • Keyword: test-kst-xxxx.cryptoservice.kms.aliyuncs.com: unknown name or service
    Cause: The endpoint specified by the initialization parameter kmsEndpoint is inaccessible.

  • Keyword: kmsPasswordKey is empty
    Cause: The initialization parameter kmsPasswordKey is left empty.

  • Keyword: keystore password was incorrect
    Cause: The value of the initialization parameter kmsPasswordKey is invalid.

  • Keyword: SDK.ServerUnreachable : Server unreachable: connection https://kst-xxx.cryptoservice.kms.aliyuncs.com
    Cause: The initialization parameter kmsVersion is not set to v3.0.

  • Keyword: None of the TrustManagers trust this certificate chain
    Causes: (1) The initialization parameter kmsVersion is not set to v3.0. (2) The initialization parameter kmsCaFilePath is left empty.

  • Keyword: kmsClientKeyFilePath is empty
    Cause: The initialization parameter kmsClientKeyFilePath is left empty.

  • Keyword: unable to find valid certification path to requested target
    Cause: The file that is specified by the initialization parameter kmsCaFilePath cannot be found.
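Most of the failures listed above are caught before the client ever contacts KMS. The following Go pre-flight check is an added example, not part of the MSE documentation or the Nacos SDK: it validates the KMS V3.0 initialization parameters used in the Java samples (the same property names) and maps each problem to the log keyword in the table; the rule that kmsEndpoint must be a bare host name without a scheme is an assumption drawn from the sample values on this page.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Finding is one pre-flight failure. Keyword is the exception text that the
// troubleshooting table says the misconfiguration surfaces as in the Nacos logs
// ("" when the table lists no keyword for it).
type Finding struct {
	Param   string
	Keyword string
	Reason  string
}

func (f Finding) String() string {
	if f.Keyword == "" {
		return fmt.Sprintf("%s: %s", f.Param, f.Reason)
	}
	return fmt.Sprintf("%s: %s (would log %q)", f.Param, f.Reason, f.Keyword)
}

// HasKeyword reports whether any finding maps to the given log keyword.
func HasKeyword(fs []Finding, keyword string) bool {
	for _, f := range fs {
		if f.Keyword == keyword {
			return true
		}
	}
	return false
}

func regularFile(path string) bool {
	st, err := os.Stat(path)
	return err == nil && st.Mode().IsRegular()
}

// PreflightKMSv3 validates the KMS V3.0 initialization parameters (the keys the
// Java sample puts into Properties) before the config client is created. It only
// checks that referenced files exist and never contacts KMS, so endpoint
// reachability and key permissions remain runtime checks.
func PreflightKMSv3(p map[string]string) []Finding {
	var out []Finding
	add := func(param, keyword, reason string) {
		out = append(out, Finding{Param: param, Keyword: keyword, Reason: reason})
	}

	if p["kmsVersion"] != "v3.0" {
		add("kmsVersion", "SDK.ServerUnreachable", "must be v3.0 when a KMS instance is used")
	}
	if strings.TrimSpace(p["keyId"]) == "" {
		add("keyId", "keyId is not set up yet", "key ID or alias is empty")
	}
	ep := strings.TrimSpace(p["kmsEndpoint"])
	if ep == "" {
		add("kmsEndpoint", "kmsEndpoint is empty", "KMS instance endpoint is empty")
	} else if strings.Contains(ep, "://") {
		// Assumption: the plug-in expects a bare host name, as in the page's samples.
		add("kmsEndpoint", "unknown name or service", "pass the host name only, without a scheme")
	}
	if p["kmsPasswordKey"] == "" {
		add("kmsPasswordKey", "kmsPasswordKey is empty", "client key password is empty")
	}

	// Client key: content takes precedence; otherwise the file must exist.
	if p["kmsClientKeyContent"] == "" {
		if p["kmsClientKeyFilePath"] == "" {
			add("kmsClientKeyFilePath", "kmsClientKeyFilePath is empty", "neither client key content nor file path is set")
		} else if !regularFile(p["kmsClientKeyFilePath"]) {
			add("kmsClientKeyFilePath", "", "client key file does not exist")
		}
	}
	// CA certificate: same precedence rule; a missing file fails TLS trust at runtime.
	if p["kmsCaFileContent"] == "" {
		if p["kmsCaFilePath"] == "" {
			add("kmsCaFilePath", "None of the TrustManagers trust this certificate chain", "neither CA content nor file path is set")
		} else if !regularFile(p["kmsCaFilePath"]) {
			add("kmsCaFilePath", "unable to find valid certification path to requested target", "CA certificate file does not exist")
		}
	}
	// Catches the copy-paste slip of pointing the CA path at the client key JSON.
	if cp, ca := p["kmsClientKeyFilePath"], p["kmsCaFilePath"]; cp != "" && cp == ca {
		add("kmsCaFilePath", "", "same file as kmsClientKeyFilePath; the CA certificate is a separate PEM file")
	}
	return out
}
```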
